Quantum factoring, discrete logarithms and the hidden subgroup problem



Richard Jozsa 

Department of Computer Science, University of Bristol, 
Woodland Road, Bristol BS8 1UB U.K. 

Abstract 

Amongst the most remarkable successes of quantum computation are Shor's efficient
quantum algorithms for the computational tasks of integer factorisation and the evaluation
of discrete logarithms. In this article we review the essential ingredients of these
algorithms and draw out the unifying generalization of the so-called abelian hidden subgroup
problem. This involves an unexpectedly harmonious alignment of the formalism
of quantum physics with the elegant mathematical theory of group representations and
Fourier transforms on finite groups. Finally we consider the non-abelian hidden subgroup
problem, mentioning some open questions where future quantum algorithms may be expected
to have a substantial impact.



1 Introduction

Quantum algorithms exploit quantum physical effects to provide new modes of computation
which are not available to "conventional" (classical) computers. In some cases these modes
provide efficient (i.e. polynomial time) algorithms for computational tasks where no efficient
classical algorithm is known. The most celebrated quantum algorithm to date is Shor's
algorithm for integer factorisation [ref, ref, 10]. It provides a method for factoring any integer of
n digits in time (i.e. in a number of computational steps) that grows less rapidly than $O(n^3)$.
Thus it is a polynomial time algorithm, in contrast to the best known classical algorithm for
this fundamental problem, which runs in superpolynomial time of order $\exp(n^{1/3}(\log n)^{2/3})$.

At the heart of the quantum factoring algorithm is the discrete Fourier transform and the 
remarkable ability of a quantum computer to efficiently determine periodicities. This in turn 
rests on the mathematical formalism of fast Fourier transforms combined with principles of 
quantum physics. In this article we will review these issues including further applications 
such as the evaluation of discrete logarithms. We will outline a unifying generalization of 
these ideas: the so-called hidden subgroup problem which is just a natural group theoretic 
generalization of the problem of periodicity determination. Finally we will consider some 
interesting open questions related to the hidden subgroup problem for non-abelian groups, 
where future quantum algorithms may be expected to have a substantial impact. 

We may think of periodicity determination as a particular kind of pattern recognition. 
Quantum computers are able to store and process large volumes of information, represented 
compactly in the identity of an entangled quantum state, but quantum measurement theory 
severely restricts our access to the information. Indeed only a relatively small amount of 
the information may be read out but this may be of a "global" nature, such as a few broad 
features of a large intricate pattern, which may be impossible to extract efficiently by classical 
means. This intuition is exemplified in the earliest quantum algorithm, known as Deutsch's
algorithm [ref]. Here we are given a black box that computes a Boolean function of n variables
(i.e. a function of all n bit strings with one-bit values). It is promised that the function is
either a constant function or 'balanced' in the sense that exactly half of the values are 0 and
half are 1. We wish to determine with certainty whether the given function is balanced or
constant, using the least number of queries to the box. Thus we are asking for one bit of
information about the $2^n$ values of the function. Classically $2^{n-1} + 1$ queries are necessary
in the worst case (if the problem is to be solved with certainty) but quantumly the problem
can be solved in all cases with just one query [10]. However if we tolerate any arbitrarily
small probability of error in the answer then there is also a classical algorithm using only a
constant number of queries.

Inspired by these results, Simon [ref] considered a more complicated situation of a class of
functions from n bits to n bits and developed a computational task displaying an exponential
gap between the classical and quantum query complexities, even if (in contrast to Deutsch's
algorithm) the algorithm is required to work only with bounded error probability of 1/3, i.e.
we allow probabilistic algorithms and in any run the answer must be correct with probability
at least 2/3.

In retrospect (c.f. below) Simon's problem turns out to be an example of a "generalized 
periodicity" or hidden subgroup problem, for the group of n bit strings under binary bitwise 
addition. Shor recognized the connection with periodicity determination and generalized the 
constructions to the group of integers modulo N, showing significantly that the associated dis- 
crete Fourier transform may be efficiently implemented in that context as well. Finally using 
known reductions of the tasks of integer factorisation and evaluation of discrete logarithms 
to periodicity determinations, he was able to give polynomial time quantum algorithms for 
these computational tasks too. 



2 The quantum Fourier transform and periodicities 

We begin with an account of how a quantum computer may efficiently determine the periodicity
of a given periodic function. Consider the following basic example. Suppose that we
have a black box which computes a function $f : \mathbb{Z}_N \to \mathbb{Z}$ that is guaranteed to be periodic
with some period r:

$f(x + r) = f(x)$ for all x (1)

Here $\mathbb{Z}_N$ denotes the additive group of integers modulo N. We also assume that f does not
take the same value twice within any single period. Note that eq. (1) can hold only if r
divides N exactly.

Our aim is to determine r. Classically (in the absence of any further information about
f) we can merely try different values of x in the black box, hoping for two equal results which
will then give information about r. Generally we will require O(N) random tries to hit two
equal values with high probability. Using quantum effects we will be able to find r using
only $O((\log N)^2)$ steps, which represents an exponential speedup over any known classical
algorithm.

In the quantum context we assume the black box is a coherent quantum process which
evolves the input state $|x\rangle|0\rangle$ to $|x\rangle|f(x)\rangle$, i.e. the values of x and f(x) are labels on a suitable
set of orthogonal states. We begin by computing all values of f in equal superposition, using
one application of the box. To do this we set up the input register in the equal superposition
$\frac{1}{\sqrt{N}}\sum_x |x\rangle$, apply the function and obtain the state:

$|f\rangle = \frac{1}{\sqrt{N}} \sum_{x=0}^{N-1} |x\rangle\,|f(x)\rangle$ (2)

Although the description of this state embodies all the values of f and hence the periodicity,
it is not immediately clear how to extract the information of r! If we measure the value in
the second register, giving a value $y_0$ say, then the state of the first register will be reduced
to an equal superposition of all those $|x\rangle$'s such that $f(x) = y_0$. If $x_0$ is the least such x and
N = Kr then we will obtain in the first register the periodic state

$|\psi\rangle = \frac{1}{\sqrt{K}} \sum_{k=0}^{K-1} |x_0 + kr\rangle$ (3)

It is important to note here that $0 \le x_0 \le r - 1$ has been generated at random, corresponding
to having seen any value $y_0$ of f with equal probability. So if we now measure the value in
this register, the overall result is merely to produce a number between 0 and N - 1 uniformly
at random, giving no information at all about the value of r.

The resolution of this difficulty is to use the Fourier transform which, even for classical
data, is known to be able to pick out periodic patterns in a set of data regardless of how the
whole pattern is shifted. The discrete Fourier transform $\mathcal{F}$ for integers modulo N is the N
by N unitary matrix with entries

$\mathcal{F}_{lm} = \frac{1}{\sqrt{N}}\,\chi_l(m)$ (4)

where we have introduced the functions

$\chi_l(m) = \exp 2\pi i \frac{lm}{N}.$ (5)

If we apply this unitary transform to the state $|\psi\rangle$ above then we obtain

$\mathcal{F}|\psi\rangle = \frac{1}{\sqrt{r}} \sum_{\lambda=0}^{r-1} e^{2\pi i \lambda x_0 / r}\, |\lambda N/r\rangle$ (6)

Indeed a direct calculation shows that the labels which appear with non-zero amplitude are
those values of l satisfying

$\chi_l(r) = e^{2\pi i lr/N} = 1$ (7)

i.e. lr is a multiple of N, and furthermore they appear with equal squared amplitudes. This
calculation uses the periodic structure of eq. (3) and the elementary identity

$\sum_{k=0}^{K-1} \left( e^{2\pi i l/K} \right)^k = \begin{cases} 0 & \text{if } l \text{ is not a multiple of } K \\ K & \text{if } l \text{ is a multiple of } K \end{cases}$ (8)

It is important to note here that the random shift $x_0$ no longer appears in the ket labels.
If we now read the label we will obtain a value c say, which is necessarily a multiple of N/r,
i.e. $c = \lambda N/r$. Thus we can write

$\frac{c}{N} = \frac{\lambda}{r}$ (9)

where c and N are known numbers and $0 \le \lambda \le r - 1$ has been chosen uniformly at
random by the measurement. Now if the randomly chosen λ is fortuitously coprime to r
(i.e. λ and r have no common factors) we can determine r by cancelling c/N down to an
irreducible fraction. What is the probability that a randomly chosen λ actually is coprime
to r? According to a basic theorem of number theory (c.f. [ref, 2] and appendix A of [ref]), the
number of coprimes less than r goes as $e^{-\gamma} r / \log\log r$ (where γ is Euler's constant) for large
r. Thus the probability that our randomly chosen λ is coprime to r is $O(1/\log\log r)$ which
exceeds $O(1/\log\log N)$. Hence if we repeat the above procedure $O(\log\log N)$ times we can
succeed in determining r with any prescribed probability $1 - \epsilon$ as close to 1 as desired.

We noted above that we want our quantum algorithm to run in time poly(log N), i.e. in a
number of steps which is polynomial in log N rather than N itself, to achieve an exponential
speedup over any known classical algorithm for determining periodicity. We showed above
that merely $O(\log\log N)$ repetitions suffice to determine r, but there is still a significant gap in
our argument: the Fourier transform $\mathcal{F}$ that we used is a large non-trivial unitary operation,
of size N by N, and we cannot ab initio just assume that it can be implemented using only
poly(log N) basic computational operations. Indeed it may be shown that any d by d unitary
operation may be implemented on a quantum computer (equipped with any universal set of
operations) in $O(d^2)$ steps [ref]. This is also the number of steps needed for the classical
computation of multiplying a d by d matrix into a d dimensional column vector. For our use
of $\mathcal{F}$ this bound of $O(N^2)$ does not suffice. Fortunately the Fourier transform (FT) has extra
special properties which enable it to be implemented in $O((\log N)^2)$ steps. These properties
stem from the classical theory of the fast Fourier transform (FFT) [12] which shows how to
reduce the $O(N^2)$ steps of classical matrix multiplication to $O(N \log N)$ steps. If the same
ideas are implemented in a quantum setting then it may be seen [ref, 11] that the number of
steps is reduced to $O((\log N)^2)$, giving our desired implementation. Note also that according
to eq. (4) we have

$\mathcal{F}|0\rangle = \frac{1}{\sqrt{N}} \sum_{s=0}^{N-1} |s\rangle$

so that once we have an efficient implementation of $\mathcal{F}$ we will be able to efficiently produce
the uniform large superposition in the input register, necessary to get $|f\rangle$ in eq. (2).

The technical details of the efficient implementation of FT are given in §3 of [11] but the
essential idea is the following. We will be able to efficiently implement FT in dimensions
which are powers of 2 rather than arbitrary N. Thus we use the smallest power of 2 that
is larger than N. (In later applications this slight mismatch of dimensions can be shown not
to cause problems, although the rigorous demonstration of this [ref] can become technically
complicated.) Let n denote the least integer greater than $\log_2 N$. Then the required Fourier
transform FT is a unitary operation on n qubits. The FFT formalism gives an explicit way
of decomposing FT on n qubits into a sequence of gates where each gate acts on at most two
qubits and the length of the sequence is polynomial in n (actually $O(n^2)$). FT is a very special
operation in this regard: a general unitary operation would require a sequence of exponential
length! Consider now the action of a 2-qubit gate U on a state $|a\rangle$ of n qubits. Suppose that
U acts on the first two qubits and that U has matrix elements $U_{ij,i'j'}$ in a standard product
basis of the n qubit state space. Suppose that $|a\rangle$ has components $a_{i_1 \dots i_n}$ (where all indices
range over the values 0 and 1). The components of the updated state are given by matrix
multiplication:

$a'_{i_1 i_2 i_3 \dots i_n} = \sum_{i'_1, i'_2} U_{i_1 i_2, i'_1 i'_2}\, a_{i'_1 i'_2 i_3 \dots i_n}$ (10)

This update counts as one step of quantum computation (or more precisely a constant number,
independent of n, to implement U) and the FFT decomposition amounts to an implementation
of FT in $O(n^2)$ steps on a quantum computer. In contrast, if eq. (10) is viewed as a classical
computation, we must perform a 4 × 4 matrix multiplication $2^{n-2}$ times (for all values of the
string $i_3 \dots i_n$). This ultimately gives an implementation of FT with $O(n 2^n)$ classical steps,
which is the standard fast Fourier transform algorithm.

In summary, the quantum algorithm for determining the periodicity of a given function
f, with N inputs, begins with the computation of all values of f in superposition using one
application of FT and one evaluation of f. FT is then applied to pick out the periodic
structure of the resulting state. The quantum implementation of the FFT algorithm guarantees
that FT may be implemented in poly(log N) steps. An analogous classical computation
would require O(N) invocations of f to compute a column vector of all the function values
and then $O(N \log N)$ steps to perform the FFT. Thus the quantum algorithm represents an
exponential speedup.
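As an added example (not part of the paper), the following Python simulates the period-finding routine of this section on a small N: it builds the post-measurement state of eq. (3) from a constructed black-box function, applies the Fourier matrix of eq. (4) directly, and reduces the observed label as in eq. (9). The function f(x) = x mod 4 on Z_12 and the name `period_candidate` are assumptions of this example, not notation from the paper.

```python
import cmath
from fractions import Fraction
from math import sqrt


def post_measurement_state(f, N, y0):
    """Measure the second register of eq. (2) and see y0: the first register
    collapses to the equal superposition over {x : f(x) = y0}, which for a
    periodic non-degenerate f is the shifted periodic state of eq. (3)."""
    support = [x for x in range(N) if f(x) == y0]
    amp = [0j] * N
    for x in support:
        amp[x] = 1 / sqrt(len(support))
    return amp


def chi(l, m, N):
    """Eq. (5): the characters chi_l(m) = exp(2 pi i l m / N) of Z_N."""
    return cmath.exp(2j * cmath.pi * l * m / N)


def fourier(amp):
    """Eq. (4): (F v)_l = (1/sqrt N) sum_m chi_l(m) v_m, evaluated by direct
    O(N^2) matrix multiplication (the FFT structure matters for the gate
    count on a quantum computer, not for this classical simulation)."""
    N = len(amp)
    return [sum(chi(l, m, N) * amp[m] for m in range(N)) / sqrt(N)
            for l in range(N)]


def outcome_distribution(f, N, y0):
    """Probabilities of reading label l after F, eqs. (6)-(7): only multiples
    of N/r survive, each with probability 1/r, whatever shift x0 was seen."""
    probs = [abs(a) ** 2 for a in fourier(post_measurement_state(f, N, y0))]
    return {l: round(p, 9) for l, p in enumerate(probs) if p > 1e-9}


def period_candidate(c, N):
    """Eq. (9): c/N = lambda/r. Cancelling to lowest terms returns r exactly
    when gcd(lambda, r) = 1 and a proper divisor of r otherwise; c = 0
    (lambda = 0) carries no information about r."""
    if c == 0:
        return None
    return Fraction(c, N).denominator


def success_probability(f, N, r):
    """Probability that a single run's label cancels to the true period r."""
    dist = outcome_distribution(f, N, f(0))
    return round(sum(p for c, p in dist.items() if period_candidate(c, N) == r), 9)


if __name__ == "__main__":
    N, r = 12, 4
    f = lambda x: x % r                 # constructed black box: period 4 on Z_12
    for y0 in range(r):                 # same label distribution whichever y0 was seen
        print(y0, outcome_distribution(f, N, y0))
    print("P(one run yields r):", success_probability(f, N, r))   # 0.5 = phi(4)/4
```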



3 Quantum factoring 

The problem of integer factorisation is the following: given a number N, of $n = \log_2 N$ digits,
we wish to determine a number k (not equal to 1 or N) which divides N exactly. We now
outline how this problem may be reduced to a problem of periodicity determination for a
suitable periodic function f. Then the quantum algorithm described in the preceding section
will achieve the factorisation of N in poly(n) time, i.e. polynomial in the number of digits of
N.

We note first that there is no known classical algorithm which will factorise any given N
in a time polynomial in the number of digits of N. For example the most naive factoring
algorithm involves test-dividing N by each number from 1 to $\sqrt{N}$ (as any composite N
must have a factor in this range). This requires at least $\sqrt{N}$ steps (at least one step for
each trial factor) and $\sqrt{N} = 2^{n/2}$ is exponential in n. In fact, using all the ingenuity of
modern mathematics, the fastest known classical factoring algorithm runs in a time of order
$\exp(n^{1/3}(\log n)^{2/3})$.

To reduce the problem to a problem of periodicity we will need to use some basic results
from number theory. These are further described in the appendix of [ref] and complete expositions
may be found in most standard texts on number theory such as [ref]. We begin by
selecting a number a < N at random. Using Euclid's algorithm, we compute in poly(log N)
time the highest common factor of a and N. If this is larger than 1, we will have found a
factor of N and we are finished! However it is overwhelmingly likely that a randomly chosen
a will be coprime to N (e.g. if N is the product of two large primes). If a is coprime to
N, then Euler's theorem of number theory guarantees that there is a power of a which has
remainder 1 when divided by N. Let r be the smallest such power:

$a^r = 1 \bmod N$ and r is the least such power (11)

(If a is not coprime to N then no power of a has remainder 1.) r is called the order of a
modulo N. Next we show that the information of r can provide a factor of N.

Suppose that we have a method for determining r (c.f. later) and suppose further that r
comes out to be an even number. Then we can rewrite eq. (11) as $a^r - 1 = 0 \bmod N$ and
factorise as a difference of squares:

$(a^{r/2} - 1)(a^{r/2} + 1) = 0 \bmod N$ (12)

Let $\alpha = a^{r/2} - 1$ and $\beta = a^{r/2} + 1$. Then N exactly divides the product αβ. If neither α nor
β is a multiple of N then N must divide partly into α and partly into β. Thus computing
the highest common factor of N with α and β (again using Euclid's algorithm) will generate
a non-trivial factor of N.

As an example take N = 15 and choose the coprime number a = 7. By computing the
powers of 7 modulo 15 we find that $7^4 = 1 \bmod 15$, i.e. the order of 7 modulo 15 is 4. Thus
15 must exactly divide the product $(7^{4/2} - 1)(7^{4/2} + 1) = (48)(50)$. Computing the highest
common factor of 15 with 50 and 48 gives 5 and 3 respectively, which are indeed nontrivial
factors of 15.

Our method will give a factor of N provided that r comes out to be even and that neither
of $a^{r/2} \pm 1$ are exact multiples of N. To guarantee that these conditions occur often enough
(for randomly chosen a's) we have

Theorem: Let N be odd and suppose that a < N coprime to N is chosen at random. Let r
be the order of a modulo N. Then the probability that r is even and $a^{r/2} \pm 1$ are not exact
multiples of N is always $\ge \frac{1}{2}$.

The (somewhat lengthy) proof of this theorem may be found in appendix B of [ref], to which
we refer the reader for details.

Overall, our method will produce a factor of N with probability at least half in every case.
This success probability may be amplified as close as desired to 1, since K repetitions of the
procedure (with K constant independent of N) will succeed in factorising N with probability
exceeding $1 - \left(\frac{1}{2}\right)^K$.

All steps in the procedure, such as applying Euclid's algorithm and the arithmetic manipulation
of numbers, can be done in poly(n) time. The only remaining outstanding ingredient
is a method for determining r in poly(log N) time. Consider the exponential function:

$f(x) = a^x \bmod N$ (13)

Now eq. (11) says precisely that f is periodic with period r, i.e. that f(x + r) = f(x). Thus we
use the quantum algorithm for periodicity determination, described in the previous section,
to find r. To apply the algorithm as stated, we need to restrict the scope of x values in eq.
(13) to a finite range $0 \le x < q$ for some q. If q is not an exact multiple of (the unknown) r,
i.e. q = Ar + t for some 0 < t < r, then the resulting function will not be exactly periodic:
the single final period over the last t values will be incomplete. However if q is chosen large
enough, giving sufficiently many intact periods of f, then the single corrupted period will
have negligible effect on the use of the q by q Fourier transform to determine r, as we might
intuitively expect. In fact it may be shown that if q is chosen to have size $O(N^2)$ then we get
a reliable efficient determination of r. For the technical analysis of this imperfect periodicity
(involving the theory of continued fractions) we refer the reader to [ref, ref]. q is also generally
chosen to be a power of 2 to allow an efficient implementation of FT via the FFT formalism.
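The classical part of Shor's reduction, as an added example (not the paper's code): the gcd pre-test, the order of eq. (11), the difference-of-squares step of eq. (12), and a count over all coprime a < N of how often the theorem's conditions hold. The order is found here by brute-force repeated multiplication, standing in for the quantum period finding of f(x) = a^x mod N (eq. (13)); the function names are this example's own.

```python
from math import gcd


def order_mod(a, N):
    """Eq. (11): the least r >= 1 with a^r = 1 mod N. Brute force here (a number
    of steps exponential in log N); in Shor's algorithm this r is the period of
    f(x) = a^x mod N found by the quantum routine of section 2."""
    assert gcd(a, N) == 1, "order exists only for a coprime to N"
    r, power = 1, a % N
    while power != 1:
        power = (power * a) % N
        r += 1
    return r


def factor_from_order(N, a, r):
    """Eq. (12): for even r, N divides (a^{r/2} - 1)(a^{r/2} + 1). Unless
    a^{r/2} + 1 = 0 mod N, one of the two gcds is a non-trivial factor.
    (a^{r/2} - 1 = 0 mod N is impossible since r/2 is below the order r.)
    Returns None when the theorem's conditions fail for this a."""
    if r % 2 == 1:
        return None
    h = pow(a, r // 2, N)
    if h == N - 1:                       # beta = a^{r/2} + 1 is a multiple of N
        return None
    for d in (gcd(h - 1, N), gcd(h + 1, N)):
        if 1 < d < N:
            return d
    return None


def shor_classical_part(N, a):
    """One round for a chosen a: Euclid's gcd test first, then order -> factor."""
    d = gcd(a, N)
    if d > 1:
        return d                         # a already shares a factor with N
    return factor_from_order(N, a, order_mod(a, N))


def good_choices(N):
    """(#good, #total) over all a < N coprime to N, where 'good' means r is even
    and a^{r/2} +/- 1 are not multiples of N. The theorem promises a ratio of
    at least 1/2 for odd N."""
    coprime = [a for a in range(1, N) if gcd(a, N) == 1]
    good = [a for a in coprime
            if factor_from_order(N, a, order_mod(a, N)) is not None]
    return len(good), len(coprime)


if __name__ == "__main__":
    print(order_mod(7, 15), shor_classical_part(15, 7))   # 4 3 (the paper's example)
    print(good_choices(15), good_choices(21))              # (6, 8) (6, 12)
```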

4 Evaluation of discrete logarithms 

In the previous section we showed how the problem of factoring may be reduced to a question
of periodicity of a function on $\mathbb{Z}_N$, the additive group of integers modulo N. We now introduce
the problem of discrete logarithms and show how it may also be reduced to a slightly more
general kind of periodicity, on the additive group of pairs of integers modulo N. These
important special cases provide the basis for the generalization in the next section to an
elegant and natural group theoretic setting.

Let p be a prime number and let $\mathbb{Z}_p^*$ denote the group of integers {1, 2, ..., p - 1} under
multiplication modulo p. Note that for general values of m the set $\mathbb{Z}_m^* = \{1, 2, \dots, m - 1\}$
is not a group under multiplication modulo m as we do not generally have multiplicative
inverses (e.g. in $\mathbb{Z}_6^*$ there is no number x satisfying $3x = 1 \bmod 6$, i.e. 3 has no inverse) but
if p is prime then $\mathbb{Z}_p^*$ is always a group.

A number g in $\mathbb{Z}_p^*$ is called a generator (or primitive root mod p) if the powers of g
generate all of $\mathbb{Z}_p^*$, i.e. $\mathbb{Z}_p^* = \{g^0 = 1, g^1, g^2, \dots, g^{p-2}\}$. (For example in $\mathbb{Z}_5^*$, 2 and 3 are
generators but 1 and 4 are not.) Thus every element x of $\mathbb{Z}_p^*$ may be written uniquely as
$x = g^y$ for some y in $\mathbb{Z}_{p-1}$. y is called the discrete logarithm of x (with respect to g) and
we write $y = \log_g x$. Note that multiplication of x's mod p corresponds to addition of y's
mod (p - 1), so a generator provides a way of identifying $\mathbb{Z}_p^*$ with $\mathbb{Z}_{p-1}$.

The problem of discrete logarithms is the following: we have p and a generator g of $\mathbb{Z}_p^*$.
For any $x \in \mathbb{Z}_p^*$ we want to compute its discrete logarithm $y = \log_g x$. Let n be the number
of digits of p. The fastest known classical algorithm runs in time of order $\exp(n^{1/3}(\log n)^{2/3})$
whereas our quantum algorithm will run in time less than $O(n^3)$.

We begin by noting that multiplicative inverses in $\mathbb{Z}_p^*$ may be computed efficiently using
Euclid's algorithm. Indeed for any x we have the highest common factor of x and p being 1,
so Euclid's algorithm provides integers a and b such that ax + bp = 1, so $ax = 1 \bmod p$ and
a is the desired inverse.

Consider $G = \mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1}$, the additive group of pairs of integers, and for given x, g, p
the function $f : \mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1} \to \mathbb{Z}_p^*$ given by

$f(a, b) = g^a x^{-b} \bmod p$

which is computable in time poly(n). In terms of the discrete logarithm $y = \log_g x$ we have

$f(a, b) = g^{a - yb} \bmod p$

so

$f(a_1, b_1) = f(a_2, b_2)$ if and only if $(a_2, b_2) = (a_1, b_1) + \lambda(y, 1)$ for $\lambda \in \mathbb{Z}_{p-1}$.

Thus the pair (y, 1) is the period of f on its product domain. To determine y our quantum
algorithm will follow the standard period-finding procedure of section 2, slightly generalized
to deal with the fact that the domain consists of pairs rather than just single numbers.

We consider a Hilbert space with an orthonormal basis $\{|a\rangle|b\rangle : a, b \in \mathbb{Z}_{p-1}\}$ labeled by
the elements of G and begin by computing an equal superposition of all values of f:

$|f\rangle = \frac{1}{p-1} \sum_{a,b} |a\rangle\,|b\rangle\,|f(a,b)\rangle.$

If we measure the last register and see a value $f(a_0, b_0)$ we obtain the periodic state

$|\psi\rangle = \frac{1}{\sqrt{p-1}} \sum_{k=0}^{p-2} |a_0 + ky\rangle\,|b_0 + k\rangle.$

To eliminate the dependence of the labels on the randomly chosen $(a_0, b_0)$ we apply $\mathcal{F} \otimes \mathcal{F}$, the
Fourier transform modulo (p - 1) on each of the two registers. The calculations are very
similar to those for factoring (c.f. eq. (8)). Let us introduce the functions

$\chi_{l_1, l_2}(a, b) = \exp 2\pi i \left( \frac{a l_1 + b l_2}{p-1} \right).$

Then (similar to eq. (6)) $\mathcal{F} \otimes \mathcal{F}$ will yield an equally weighted superposition of those
labels $(l_1, l_2)$ such that $\chi_{l_1, l_2}(y, 1) = 1$, i.e. $y l_1 + l_2 = 0 \bmod p - 1$, so $l_2 = -y l_1 \bmod p - 1$ and
$l_1 = 0, 1, \dots, p - 2$. Explicitly we have

$\mathcal{F} \otimes \mathcal{F}\,|\psi\rangle = \frac{1}{\sqrt{p-1}} \sum_{l_1=0}^{p-2} \exp 2\pi i \left( \frac{a_0 l_1 - b_0 y l_1}{p-1} \right) |l_1\rangle\,|{-y l_1}\rangle.$

Then a measurement of the labels will provide a pair $(l_1, l_2) = (l_1, -y l_1 \bmod p - 1)$ where
$l_1 \in \mathbb{Z}_{p-1}$ is chosen uniformly at random. If $l_1$ happens to be coprime to p - 1 we can
use Euclid's algorithm to find $l_1^{-1}$, the multiplicative inverse modulo p - 1, and compute y
as $-l_1^{-1} l_2$. If $l_1$ is not coprime to p - 1 then we cannot uniquely determine y from $(l_1, l_2)$.
What is the probability that a uniformly chosen $l_1$ is coprime to p - 1? In section 2 we
saw that this probability will be of order $1/\log\log(p - 1)$ and so to determine y with high
probability we will need to repeat our algorithm a very modest $O(\log\log p)$ times (which is
even exponentially smaller than our goal of poly(log p) times).

As in the case of factoring there is the residual issue of efficiently implementing the Fourier
transform that is used. To take advantage of the FFT formalism we would want to use FT
for integers modulo a power of 2 (instead of modulo p - 1). Let $2^t$ be the smallest power of
2 greater than p - 1, so t is the smallest integer greater than $\log_2(p - 1)$. Then FT modulo
$2^t$ may be implemented in $O(t^2) = O((\log p)^2)$ steps. If we use FT modulo $2^t$ in place of FT
modulo p - 1 in the above algorithm then we will obtain a larger set of possible output pairs
$(l_1, l_2)$ with varying probabilities. However, as in the case of factoring, these pairs will lie with
high probability sufficiently near to the "good" pairs $(l_1, -y l_1)$ where $l_1$ is coprime to p - 1,
so that y may still be determined. The details of dealing with the nearby pairs and assessing
their probabilities are quite involved and given in [ref].
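As an added example (not from the paper), this Python carries the reduction of this section through for the small prime p = 7 with generator g = 3 and x = 6 (a constructed instance, so y = 3): it checks the (y, 1)-periodicity of f(a, b) = g^a x^{-b} mod p, simulates F ⊗ F modulo p − 1 on the post-measurement state, and recovers y from each output pair whose l_1 is coprime to p − 1. Inverses are computed with the extended Euclidean algorithm as the text describes; the function names are this example's own.

```python
import cmath
from math import gcd, sqrt


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t


def modinv(x, m):
    """Multiplicative inverse of x modulo m (requires gcd(x, m) = 1)."""
    g, s, _ = egcd(x % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (x, m, g))
    return s % m


def f(a, b, g, x, p):
    """f(a, b) = g^a x^{-b} mod p, constant exactly on the cosets of (y, 1)."""
    return pow(g, a, p) * pow(modinv(x, p), b, p) % p


def is_periodic_with(y, g, x, p):
    """Check f(a + y, b + 1) = f(a, b) over the whole domain Z_{p-1} x Z_{p-1}."""
    n = p - 1
    return all(f((a + y) % n, (b + 1) % n, g, x, p) == f(a, b, g, x, p)
               for a in range(n) for b in range(n))


def pair_probabilities(g, x, p, a0, b0):
    """Measure the third register to see f(a0, b0), then apply F (x) F modulo
    p-1 using the characters chi_{l1,l2}(a, b) = exp 2 pi i (a l1 + b l2)/(p-1).
    Returns {(l1, l2): probability}; only pairs with l2 = -y l1 survive."""
    n = p - 1
    seen = f(a0, b0, g, x, p)
    support = [(a, b) for a in range(n) for b in range(n)
               if f(a, b, g, x, p) == seen]
    norm = 1 / sqrt(len(support))
    dist = {}
    for l1 in range(n):
        for l2 in range(n):
            amp = sum(cmath.exp(2j * cmath.pi * (a * l1 + b * l2) / n) * norm
                      for a, b in support) / n
            prob = abs(amp) ** 2
            if prob > 1e-9:
                dist[(l1, l2)] = prob
    return dist


def dlog_from_pair(l1, l2, p):
    """y = -l1^{-1} l2 mod p-1 when gcd(l1, p-1) = 1; otherwise undetermined."""
    n = p - 1
    if gcd(l1, n) != 1:
        return None
    return (-modinv(l1, n) * l2) % n


def dlog_candidates(g, x, p, a0=0, b0=0):
    """Values of y one measurement lets us recover, with their total probability."""
    sums = {}
    for (l1, l2), prob in pair_probabilities(g, x, p, a0, b0).items():
        y = dlog_from_pair(l1, l2, p)
        if y is not None:
            sums[y] = sums.get(y, 0.0) + prob
    return {y: round(s, 9) for y, s in sums.items()}


if __name__ == "__main__":
    p, g, x = 7, 3, 6                        # constructed instance: 3^3 = 27 = 6 mod 7, so y = 3
    print(is_periodic_with(3, g, x, p))      # True
    print(pair_probabilities(g, x, p, 2, 5)) # six pairs (l1, -3 l1 mod 6), each 1/6
    print(dlog_candidates(g, x, p))          # {3: 1/3}: only l1 in {1, 5} is coprime to 6
```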



5 The abelian hidden subgroup problem 

Given the above developments it is exciting to observe that the concept of periodicity and the
construction of the Fourier transform may be generalized to apply to any finite group G. Our
discussion so far pertains simply to the special cases of the additive group of integers modulo
N (for factoring) and the product group $\mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1}$ (for evaluating discrete logarithms).
The generalized viewpoint will also provide considerable insight into the workings of the
Fourier transform. We will now outline the essential ideas involved, restricting attention in
this section to the case of finite abelian groups.

Let G be any finite abelian group. Let $f : G \to X$ be a function on the group (taking
values in some set X) and consider

$K = \{k \in G : f(k + g) = f(g) \text{ for all } g \in G\}$ (14)

(Note that we write the group operation in additive notation.) K is necessarily a subgroup
of G, called the stabilizer or symmetry group of f. It characterizes the periodicity of f with
respect to the group operation of G. For factoring, where G was $\mathbb{Z}_N$, K was the cyclic
subgroup of all multiples of r.

The condition (14) is equivalent to saying that f is constant on the cosets of K in G.
(Recall that the cosets are subsets of G of the form $g + K = \{g + k : k \in K\}$ and they
partition all of G into disjoint parts of equal size |K|.)
Given a device that computes f, our aim is to suitably determine the "hidden subgroup"
K, e.g. we may ask for a set of generators for K or for an algorithm that outputs a randomly
chosen element of K. More precisely we wish to obtain this information in time
O(poly(log |G|)) where |G| is the size of the group and the evaluation of f on an input counts
as one computational step. (Note that we may easily determine K in time O(poly(|G|))
by simply evaluating and examining all the values of f.) We begin as in our examples by
constructing the state

$|f\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} |g\rangle\,|f(g)\rangle$

and read the second register. Assuming that f is suitably non-degenerate, in the sense that
$f(g_1) = f(g_2)$ iff $g_1 - g_2 \in K$, i.e. that f is one-to-one within each period, we will obtain in
the first register

$|\psi(g_0)\rangle = \frac{1}{\sqrt{|K|}} \sum_{k \in K} |g_0 + k\rangle$ (15)

corresponding to seeing $f(g_0)$ in the second register, where $g_0$ has been chosen at random. In
eq. (15) we have an equal superposition of labels corresponding to a randomly chosen coset
of K in G. Now G is the disjoint union of all the cosets so that if we read the label in eq.
(15) we will see a random element of a random coset, i.e. a label chosen equiprobably from
all of G, yielding no information at all about K.

The general construction of a "Fourier transform on G" will provide a way of eliminating
$g_0$ from the labels (just as in the case of $\mathbb{Z}_N$) and the resulting state will then provide direct
information about K. Let $\mathcal{H}$ be a Hilbert space with a basis $\{|g\rangle : g \in G\}$ labeled by the
elements of G. Each group element $g_1 \in G$ gives rise to a unitary "shifting" operator $U(g_1)$
on $\mathcal{H}$ defined by

$U(g_1)|g\rangle = |g + g_1\rangle$ for all g

For any coset $g_0 + K$ let us write $|g_0 + K\rangle$ for the uniform superposition $\frac{1}{\sqrt{|K|}} \sum_{k \in K} |g_0 + k\rangle$.

Note that the state in eq. (15) may be written as a $g_0$-shifted state:

$|g_0 + K\rangle = U(g_0)|K\rangle$ (16)

Our basic idea now is to introduce into $\mathcal{H}$ a new basis $\{|\chi_g\rangle : g \in G\}$ of special states
which are shift-invariant in the sense that

$U(g_1)|\chi_{g_2}\rangle = e^{i\phi(g_1, g_2)}\,|\chi_{g_2}\rangle$ for all $g_1, g_2$

i.e. the $|\chi_g\rangle$'s are the common eigenstates of all the shifting operations U(g). Note that
the U(g)'s all commute (since the group is abelian) so such a basis of common eigenstates
is guaranteed to exist. Then according to eq. (16), if we view $|K\rangle$ and $|g_0 + K\rangle$ in the new
basis, they will contain the same pattern of labels determined by the subgroup K only, and
corresponding amplitudes will differ only by phase factors. Thus the probability distribution
of the outcomes of a measurement in the new basis will directly provide information about
the subgroup K. More precisely it may be shown [11] (and cf below) that this measurement
provides a uniform random sample from the so-called dual group of K in G.

The Fourier transform $\mathcal{F}$ on G is defined to simply be the unitary transformation which
rotates the shift invariant basis back to the standard basis:

$\mathcal{F}|\chi_g\rangle = |g\rangle$ for all g

Hence to read $|\psi(g_0)\rangle$ in the new basis we just apply $\mathcal{F}$ and read in the standard basis.

To give an explicit construction of $\mathcal{F}$ it suffices to give the states $|\chi_g\rangle$ written as components
in the standard basis. There is a standard way of calculating these components based
on constructions from group representation theory. An introduction with further references
is given in [10, 11] and here we will summarize the main points. If we write

$|\chi_l\rangle = \frac{1}{\sqrt{|G|}} \sum_{g \in G} \chi_l(g)\,|g\rangle$ for each $l \in G$ (17)

then we can take the functions $\chi_l : G \to \mathbb{C}$ to be the |G| irreducible representations of the
group G. Then the basic theorems of group representation theory (cf for example [10]) guarantee
that the states $|\chi_l\rangle$ are orthonormal and have the required shift invariant property.
Indeed shift invariance is a direct consequence of the basic defining property of a representation:
$\chi(g_1 + g_2) = \chi(g_1)\chi(g_2)$. For the group $\mathbb{Z}_N$ the irreducible representations are given
by $\chi_k(j) = \exp 2\pi i jk/N$ for $j, k \in \mathbb{Z}_N$ and

$|\chi_k\rangle = \frac{1}{\sqrt{N}} \sum_{j=0}^{N-1} \chi_k(j)\,|j\rangle$

leading to the Fourier transform formula given in eq. (4).

Which labels l appear in $\mathcal{F}|g_0 + K\rangle$? It suffices to consider $\mathcal{F}|K\rangle$ and from eq. (17) we
get directly

Now, for abelian groups, the restriction of $\chi_l$ from G to K is an irreducible representation of
K and the orthogonality relations for irreducible representations give that $\sum_{k \in K} \chi_l(k) = 0$
for all $\chi_l$'s except the trivial representation defined by $\chi_l(k) = 1$ for all $k \in K$. In the latter
case we have $\sum_{k \in K} \chi_l(k) = |K|$. Hence $\mathcal{F}|K\rangle$ is a uniform superposition of the |G|/|K| labels
l such that $\chi_l$ restricts to the trivial representation on K. If K has a generator r then the
latter condition is equivalent to $\chi_l(r) = 1$, as we saw in the examples of factoring and discrete
logarithms (where r = (y, 1)). Thus we are able to uniformly sample from this set of labels,
which distinguishes the possible K's. This completes the quantum part of the algorithm but
to convert this into an explicit description of K (say an actual set of generators) we need to
use further mathematical properties of G, e.g. properties of co-primality as illustrated in our
examples.

The above group-theoretic framework serves to generalize and extend the applicability
of the quantum algorithm for periodicity determination. For example Simon considered the
following problem: suppose that we have a black box which computes a function f from n-bit
strings to n-bit strings. It is also promised that the function is "two-to-one" in the sense that
there is a fixed n-bit string ξ such that

$f(x + \xi) = f(x)$ for all n-bit strings x. (18)

(Here + denotes binary bitwise addition of n bit strings.) Our problem is to determine ξ.
To see that this is just a generalized periodicity determination, note that in the group $(\mathbb{Z}_2)^n$
of n-bit strings every element satisfies x + x = 0. Hence eq. (18) states just that f is periodic
on the group with periodicity subgroup K = {0, ξ}. Thus to determine ξ we construct the
Fourier transform on the group of n-bit strings and apply the standard algorithm above. The
relevant Hilbert space $\mathcal{H}$ with a basis labeled by n-bit strings is just a row of n qubits. The
irreducible representations of the group $\mathbb{Z}_2^n$ are the functions $\chi_x(y) = (-1)^{x_1 y_1} \cdots (-1)^{x_n y_n}$
where $x = x_1 \dots x_n$ and $y = y_1 \dots y_n$ are n bit strings. Thus the Fourier transform may be
easily seen [11] to be just the application of the 1-qubit Hadamard transform

$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$

to each of the n qubits. The resulting quantum algorithm for determining the hidden subgroup
then reproduces Simon's original algorithm [ref]. It determines ξ in $O(n^2)$ steps whereas it
may be argued [ref] that any classical algorithm must evaluate f at least $O(2^n)$ times.



6 Non-abelian groups 

We will now consider the hidden subgroup problem in the situation where $G$ and the subgroup $K$ may be non-abelian, i.e. we have $f : G \to X$ which is constant on the (left) cosets of $K$ in $G$. We now also write the group operation multiplicatively. As before our algorithm begins in the same way by producing the state $|g_0 K\rangle$ where $g_0$ has been chosen at random. The passage from abelian to non-abelian groups is accompanied by various potential conceptual problems:

(a) (Construction of non-abelian Fourier transform). For abelian groups the irreducible representations are always one dimensional (i.e. the functions $\chi_i$ above) whereas for non-abelian groups they are functions $\chi : G \to U(d)$ taking values in the set $U(d)$ of all $d \times d$ unitary matrices for suitable values of $d$. According to a basic theorem of group representation theory, if $d_1, \ldots, d_m$ are the dimensions of a complete set of irreducible unitary representations $\chi_1, \ldots, \chi_m$ then $d_1^2 + \ldots + d_m^2 = |G|$. Let us write $\chi_{i,jk}(g)$ for the $(j,k)$th component of the unitary matrix $\chi_i(g)$. Thus as $i, j, k$ vary we get $|G|$ complex valued functions and as in eq. (17) we may define the $|G|$ states:

$$|\chi_{i,jk}\rangle = \sqrt{\frac{d_i}{|G|}} \sum_{g \in G} \chi_{i,jk}(g)\,|g\rangle .$$

The orthogonality relations of irreducible representations guarantee that these are again orthonormal states, called the Fourier basis, and the non-abelian Fourier transform is defined as the unitary operation that rotates this basis into standard position. In the abelian case, $j$ and $k$ take only the value 1 and may be omitted. The Fourier basis may be grouped into $m$ subsets of sizes $d_1^2, \ldots, d_m^2$ according to the value of $i$ and we may consider the associated incomplete von Neumann measurement which distinguishes only the various representations. We will denote this incomplete measurement by $\mathcal{M}_{\rm rep}$ and it will be important later (cf. (d) below).

(b) (Efficient implementation of non-abelian FT). For the efficiency of our quantum algorithms it is important that FT be implementable in $\mathrm{poly}(\log |G|)$ computational steps. In the abelian case this was a consequence of the FFT formalism. Fortunately this formalism extends to the non-abelian case too, requiring only that the group contains a suitable tower of subgroups. For the standard FFT on $\mathbb{Z}_{2^n}$ this tower is $H_0 \subset H_1 \subset \ldots \subset H_n$ where $H_k$ is the subgroup of multiples of $2^{n-k}$ in $\mathbb{Z}_{2^n}$. A fundamental non-abelian group is the permutation group $G = P_n$ on $n$ symbols. $P_n$ contains the tower $P_1 \subset P_2 \subset \ldots \subset P_n$ and its FT has been shown to be efficiently implementable [13].

(c) (Description of subgroups). Our quantum algorithm should provide distinguishable outputs for different possible subgroups $K$. In that case we say that the subgroup has been information-theoretically determined. However in general it may still be a difficult computational task to identify the actual subgroup from the output result. For finite abelian groups a fundamental structure theorem asserts that any such group is isomorphic to a direct product of groups of the form $\mathbb{Z}_n$. In this case any subgroup $K$ will have a simple $\mathrm{poly}(\log |G|)$ sized description given by a list of generators, which we can require as the output of the algorithm. For non-abelian groups the classification of possibilities is not so simple. For example even the problem of deciding whether or not two sets of generators and relations give isomorphic groups is known to be uncomputable! Furthermore it is not appropriate to ask for a list of all elements of $K$ as this may be of size $O(|G|)$, i.e. exponentially large in $\log |G|$. We may circumvent these difficulties of description by asking for less: instead of characterising $K$ per se, we may for example ask that the algorithm outputs a randomly chosen element of $K$ or determines whether or not some chosen property of a subgroup holds for the hidden subgroup.

(d) (Shift invariance). In the preceding section we used the existence of the shift invariant basis $|\chi_l\rangle$ to give some intuitive insight into why FT is useful for abelian hidden subgroups. It provided a means of eliminating the effects of a randomly chosen $g_0$ in the state $|g_0 + K\rangle$. The existence of a shift invariant basis relies on the commuting of the shift operators $U(g)$ and this is a consequence of the abelian-ness of $G$. In the non-abelian case such a basis will not exist. However a restricted form of shift invariance still survives because of the multiplicative property of representations: $\chi_i(g_1 g_2) = \chi_i(g_1)\chi_i(g_2)$ (where the RHS is multiplication of $d_i \times d_i$ unitary matrices). If we perform a complete measurement for the labels $i, j, k$ (as in (a) above) on the state $|gK\rangle$ then the resulting probability distribution will not be independent of $g$. However if we perform the incomplete measurement $\mathcal{M}_{\rm rep}$ then it is a simple consequence of the above multiplicative property that the outcome distribution is independent of $g$, providing direct (but generally incomplete) information about $K$ itself. (In the abelian case this distribution is the uniform distribution over the dual group of $K$ in $G$.) In a similar way if $K$ and $L$ are conjugate subgroups (i.e. $L = g_0 K g_0^{-1}$ for some $g_0$) then any coset states $|g_1 K\rangle$ and $|g_2 L\rangle$ will also give identical output distributions and hence the measurement $\mathcal{M}_{\rm rep}$ cannot distinguish conjugate subgroups. (In the abelian case this is not a problem since subgroups are conjugate if and only if they are equal.)

There is no known efficient quantum algorithm that will solve the hidden subgroup problem in general but we have various significant partial results.

Let $G$ be any finite group and assume that the FT on $G$ can be efficiently computed. Under this assumption, Hallgren, Russell and Ta-Shma have shown that the hidden subgroup problem may be efficiently solved for any normal subgroup $K$ of $G$. We proceed as usual by first constructing a randomly chosen coset state $|g_0 K\rangle$ (as in section 4) and then performing the measurement $\mathcal{M}_{\rm rep}$ in (a) (by performing FT and reading the representation labels $i$ only). It is shown in [5] that $K$ may be reconstructed with high probability from $O(\log |G|)$ repetitions of this procedure, i.e. the $O(\log |G|)$ measurement outcomes determine $K$ information theoretically.

For abelian groups $G$ (where all subgroups are normal) this would solve the general abelian hidden subgroup problem, except that FT cannot be exactly implemented efficiently for a general abelian $G$. Recall that in the examples of factoring and discrete logarithms we needed to replace the Fourier transform by a slightly larger one, in a dimension that was a power of 2, to take advantage of the FFT formalism. This approximation to the true FT on $G$ was sufficiently close to still allow the determination of the abelian hidden subgroup. Kitaev has described similar efficient approximations to the FT on any abelian group which should suffice for our purposes. Also, in view of (c) above, we could ask that the algorithm in the abelian case determines $K$ more explicitly, by outputting an actual set of generators as in the examples of factoring and discrete logarithms. Again this should be possible, but a detailed description of an efficient quantum algorithm for the general abelian hidden subgroup problem seems not to have been given in the literature (although the essential ingredients appear to be implicit in the work of Kitaev and Shor's treatment of factoring and discrete logarithms).



Returning to the most general hidden subgroup problem, Ettinger, Høyer and Knill [14] have shown that $N = O(\log |G|)$ preparations of random coset states $|g_1 K\rangle, \ldots, |g_N K\rangle$ always suffice to determine $K$ information theoretically, i.e. there exists a quantum observable on the state $|g_1 K\rangle \otimes |g_2 K\rangle \otimes \ldots \otimes |g_N K\rangle$ which will distinguish all possible $K$'s with high probability (for any random choices of $g_1, \ldots, g_N$). However it is not known how to efficiently implement such an observable in general. For the special case of normal $K$'s the result of Hallgren, Russell and Ta-Shma gives precisely such an efficiently implementable observable.

To conclude we will describe an important open question which can be formulated as a 
non-abelian hidden subgroup problem. This is the so-called graph isomorphism problem. 

An (undirected) graph $A$ with $n$ vertices labeled $1, 2, \ldots, n$ may be described by an $n$ by $n$ matrix $M_A$ with entries that are either 0 or 1. The $ij$ entry is 1 if and only if the graph has an edge joining vertices $i$ and $j$ (and we assume that $A$ always has at most one edge joining two vertices). Let $P_n$ denote the group of all permutations of $n$ symbols $1, 2, \ldots, n$. Two graphs $A$ and $B$ are said to be isomorphic if $B$ can be made identical to $A$ by a relabeling of its vertices, i.e. if there exists a permutation $\Pi \in P_n$ such that $M_A$ is obtained by simultaneously permuting the rows and columns of $M_B$ by $\Pi$. The symmetry group of any graph $A$ on $n$ vertices is the subgroup of all permutations $\Pi$ which leave $M_A$ unchanged when $\Pi$ is applied to the rows and columns simultaneously. The graph isomorphism problem is the following: given two connected graphs $A$ and $B$, each on $n$ vertices, determine whether they are isomorphic or not. We wish to perform this efficiently, i.e. in $\mathrm{poly}(n)$ steps. There is no known efficient classical solution.

To re-formulate this problem as a hidden subgroup problem, let $C$ be the graph which is the disjoint union of $A$ and $B$, having $2n$ vertices labeled $1, 2, \ldots, n, n+1, \ldots, 2n$ where $1, 2, \ldots, n$ label $A$ and $n+1, \ldots, 2n$ label $B$. The symmetry group $K$ of $C$ is evidently a subgroup of $P_{2n}$ but we can say more: since $A$ and $B$ are connected and $C$ is the disjoint union, any symmetry of $C$ must either separately permute the sets of labels $S_A = \{1, 2, \ldots, n\}$ and $S_B = \{n+1, \ldots, 2n\}$ or else swap the two sets entirely. Thus if $H$ denotes the group $P_n \times P_n$ and $\sigma$ is the permutation of $1, 2, \ldots, 2n$ that swaps the two sets $S_A$ and $S_B$ in their listed order, then $K$ will always be a subset of the group $G = H \cup \sigma H$. $H$ is the subgroup of $G$ containing all permutations that map $S_A$ and $S_B$ into themselves whereas $\sigma H$ is its one other coset, of all permutations that swap the elements of $S_A$ and $S_B$ (in some arbitrary order). Now we may easily verify the following facts:

(i) if $A$ and $B$ are not isomorphic then $K$ lies entirely in $H$,

(ii) if $A$ and $B$ are isomorphic then exactly half of the members of $K$ are in $H$ and half are in $\sigma H$.

Given any element $\Pi \in G$ it is easy to check whether it lies in $H$ or $\sigma H$ (e.g. we just compute $\Pi(1)$ and check whether it is $\le n$ or $\ge n+1$). Hence we will have efficiently solved the graph isomorphism problem if we are able to randomly sample from the elements of $K$. This is a weak form of the hidden subgroup problem in which we are not asking for the full information of $K$ but merely whether it overlaps $\sigma H$ by half of its elements or is disjoint from $\sigma H$, knowing that one of these two must always hold. In our standard algorithm the function $f$ used to generate the random coset state $|g_0 K\rangle$ is the efficiently computable $f : G \to X$ where $X$ is the set of all matrices of size $2n \times 2n$ with 0,1 entries and $f(\Pi)$ is the matrix obtained by permuting the rows and columns of $M_C$ by $\Pi$.
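As an added example (not from the paper), a brute-force check of facts (i) and (ii) on small constructed graphs: $f(\Pi)$ is the permuted adjacency matrix of $C$, the symmetry group $K$ is enumerated over all of $P_{2n}$, and membership in $H$ versus $\sigma H$ is decided by the single lookup of where vertex 1 is sent (vertices are 0-based here). The graphs and function names are assumptions of this example.

```python
from itertools import permutations

def adjacency(n, edges):
    """0/1 symmetric adjacency matrix M from an edge list (0-based vertex labels)."""
    M = [[0] * n for _ in range(n)]
    for i, j in edges:
        M[i][j] = M[j][i] = 1
    return M

def disjoint_union(A, B):
    """M_C for C = A disjoint-union B: vertices 0..n-1 carry A, vertices n..2n-1 carry B."""
    n = len(A)
    MC = [[0] * (2 * n) for _ in range(2 * n)]
    for i in range(n):
        for j in range(n):
            MC[i][j], MC[n + i][n + j] = A[i][j], B[i][j]
    return MC

def f(M, pi):
    """The coset-defining function: rows and columns of M permuted simultaneously by pi."""
    N = len(M)
    out = [[0] * N for _ in range(N)]
    for i in range(N):
        for j in range(N):
            out[pi[i]][pi[j]] = M[i][j]
    return out

def in_H(pi, n):
    """pi lies in H (each block mapped to itself) rather than sigma H: the image of vertex 0 decides."""
    return pi[0] < n

def symmetry_split(A, B):
    """Brute-force K = {pi : f(M_C, pi) = M_C}; return (|K meets H|, |K meets sigma H|)."""
    n, MC = len(A), disjoint_union(A, B)
    counts = [0, 0]
    for pi in permutations(range(2 * n)):
        if f(MC, pi) == MC:
            counts[0 if in_H(pi, n) else 1] += 1
    return tuple(counts)

def isomorphic(A, B):
    """Facts (i)/(ii): A ~ B iff K reaches into sigma H, and then exactly half of K lies there."""
    h, sh = symmetry_split(A, B)
    assert sh in (0, h), "facts (i)/(ii) require connected A and B"
    return sh > 0
# Constructed sample graphs on 3 vertices, all connected.
PATH = adjacency(3, [(0, 1), (1, 2)])
PATH_RELABELLED = adjacency(3, [(1, 0), (0, 2)])
TRIANGLE = adjacency(3, [(0, 1), (1, 2), (0, 2)])
```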

Unfortunately none of the known partial results about efficient quantum algorithms for determining hidden subgroups seems to apply to this formulation of the graph isomorphism problem and the possibility of an efficient solution remains an open challenge. However given the already demonstrated success and mathematical elegance of the Fourier transform formalism we can be optimistic that an efficient algorithm might be derived along these lines.